How Apple and Amazon security flaws led to an epic hacking

In the space of one hour, my entire digital life was destroyed.
First my Google account was taken over, then deleted. Next my
Twitter account was compromised, and used as a platform to
broadcast racist and homophobic messages. And worst of all, my
AppleID account was broken into, and my hackers used it to remotely
erase all of the data on my iPhone, iPad, and MacBook.

In many ways, this was all my fault. My accounts were
daisy-chained together. Getting into Amazon let my hackers get into
my Apple ID account, which helped them get into Gmail, which gave
them access to Twitter. Had I used two-factor authentication for my
Google account, it's possible that none of this would have
happened, because their ultimate goal was always to take over my
Twitter account and wreak havoc. Lulz.

Had I been regularly backing up the data on my MacBook, I
wouldn't have had to worry about losing more than a year's worth of
photos, covering the entire lifespan of my daughter, or documents
and e-mails that I had stored in no other location.

Those security lapses are my fault, and I deeply, deeply regret
them.

But what happened to me exposes vital security flaws in several
customer service systems, most notably Apple's and Amazon's. Apple
tech support gave the hackers access to my iCloud account. Amazon
tech support gave them the ability to see a piece of information --
a partial credit card number -- that Apple used to release
information. In short, the very four digits that Amazon considers
unimportant enough to display in the clear on the web are precisely
the same ones that Apple considers secure enough to perform
identity verification. The disconnect exposes flaws in data
management policies endemic to the entire technology industry, and
points to a looming nightmare as we enter the era of cloud
computing and connected devices.

This isn't just my problem. Since Friday, Aug. 3, when hackers
broke into my accounts, I've heard from other users who were
compromised in the same way, at least one of whom was targeted by
the same group.

Moreover, if your computers aren't already cloud-connected
devices, they will be soon. Apple is working hard to get all of its
customers to use iCloud. Google's entire operating system is
cloud-based. And Windows 8, the most cloud-centric operating system
yet, will hit desktops by the tens of millions in the coming year.
My experience leads me to believe that cloud-based systems need
fundamentally different security measures. Password-based security
mechanisms -- which can be cracked, reset, and socially engineered
-- no longer suffice in the era of cloud computing.

I realised something was wrong at about 5 p.m. on Friday. I was
playing with my daughter when my iPhone suddenly powered down. I
was expecting a call, so I went to plug it back in.

It then rebooted to the setup screen. This was irritating, but I
wasn't concerned. I assumed it was a software glitch. And, my phone
automatically backs up every night. I just assumed it would be a
pain in the ass, and nothing more. I entered my iCloud login to
restore, and it wasn't accepted. Again, I was irritated, but not
alarmed.

I went to connect the iPhone to my computer and restore from
that backup -- which I had just happened to do the other day. When
I opened my laptop, an iCal message popped up telling me that my
Gmail account information was wrong. Then the screen went gray, and
asked for a four-digit PIN.

I didn't have a four-digit PIN.

By now, I knew something was very, very wrong. For the first
time it occurred to me that I was being hacked. Unsure of exactly
what was happening, I unplugged my router and cable modem, turned
off the Mac Mini we use as an entertainment center, grabbed my
wife's phone, and called AppleCare, the company's tech support
service, and spoke with a rep for the next hour and a half.

It wasn't the first call they had had that day about my account.
In fact, I later found out that a call had been placed just a
little more than a half an hour before my own. But the Apple rep
didn't bother to tell me about the first call concerning my
account, despite the 90 minutes I spent on the phone with tech
support. Nor would Apple tech support ever tell me about the first
call voluntarily -- it only shared this information after I asked
about it. And I only knew about the first call because a hacker
told me he had made the call himself.

At 4:33 p.m., according to Apple's tech support records, someone
called AppleCare claiming to be me. Apple says the caller reported
that he couldn't get into his .Me e-mail -- which, of course, was my
.Me e-mail.

In response, Apple issued a temporary password. It did this
despite the caller's inability to answer security questions I had
set up. And it did this after the hacker supplied only two pieces
of information that anyone with an internet connection and a phone
can discover.

At 4:50 p.m., a password reset confirmation arrived in my inbox.
I don't really use my .Me e-mail, and rarely check it. But even if
I did, I might not have noticed the message because the hackers
immediately sent it to the trash. They then were able to follow the
link in that e-mail to permanently reset my AppleID password.

At 5:02 p.m., they reset my Twitter password. At 5:00 they used
iCloud's "Find My" tool to remotely wipe my iPhone. At 5:01 they
remotely wiped my iPad. At 5:05 they remotely wiped my MacBook.
Around this same time, they deleted my Google account. At 5:10, I
placed the call to AppleCare. At 5:12 the attackers posted a message to my account
on Twitter taking credit for the hack.

By wiping my MacBook and deleting my Google account, they now
not only had the ability to control my account, but were able to
prevent me from regaining access. And crazily, in ways that I don't
and never will understand, those deletions were just collateral
damage. My MacBook data -- including those irreplaceable pictures
of my family, of my child's first year and relatives who have now
passed from this life -- weren't the target. Nor were the eight
years of messages in my Gmail account. The target was always
Twitter. My MacBook data was torched simply to prevent me from
getting back in.

Lulz.

I spent an hour and a half talking to AppleCare. One of the
reasons it took me so long to get anything resolved with Apple
during my initial phone call was because I couldn't answer the
security questions it had on file for me. It turned out there's a
good reason for that. Perhaps an hour or so into the call, the
Apple representative on the line said "Mr. Herman, I…."

"Wait. What did you call me?"

"Mr. Herman?"

"My name is Honan."

Apple had been looking at the wrong account all along. Because
of that, I couldn't answer my security questions. And because of
that, it asked me an alternate set of questions that it said would
let tech support let me into my .Me account: a billing address and
the last four digits of my credit card. (Of course, when I gave
them those, it was no use, because tech support had misheard my
last name.)

It turns out, a billing address and the last four digits of a
credit card number are the only two pieces of information anyone
needs to get into your iCloud account. Once supplied, Apple will
issue a temporary password, and that password grants access to
iCloud.
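The reset decision described above, written out as a support-desk policy check. This is an added example, not code from the article, Apple, or Amazon; the factor names, the exposure labels, and the `decide_reset` function are assumptions made for illustration. It shows the two points the account turns on: a failed security question should end the request, and factors an outsider can look up or read off another service should not add up to a verification.

```python
from dataclasses import dataclass

# Assumed labels (not Apple's or Amazon's): how easily an outsider learns a factor.
PUBLIC = "public"        # discoverable with an internet connection and a phone
DISPLAYED = "displayed"  # shown in the clear by some other service
SECRET = "secret"        # known only to the account holder

# Hypothetical factor catalogue reflecting the article's description.
EXPOSURE = {
    "email_address": PUBLIC,
    "billing_address": PUBLIC,
    "card_last4": DISPLAYED,      # the four digits another site shows on the web
    "security_questions": SECRET,
    "second_factor_code": SECRET,
}

@dataclass
class Claim:
    factor: str
    correct: bool

def decide_reset(claims, min_secret=1):
    """Return (allowed, reasons) for a phone-support password reset request."""
    reasons, secret_ok = [], 0
    for c in claims:
        exposure = EXPOSURE.get(c.factor)
        if exposure is None:
            reasons.append(f"unknown factor ignored: {c.factor}")
        elif exposure == SECRET and not c.correct:
            # A failed secret factor is a veto, not something to route around.
            return False, [f"failed secret factor: {c.factor}"]
        elif exposure == SECRET:
            secret_ok += 1
        elif c.correct:
            reasons.append(f"{c.factor} is {exposure}; counts for nothing")
    if secret_ok < min_secret:
        reasons.append(f"need {min_secret} secret factor(s), got {secret_ok}")
        return False, reasons
    return True, reasons

# Constructed requests modelled on the call described in the article.
CALLER_AS_DESCRIBED = [Claim("security_questions", False),
                       Claim("billing_address", True), Claim("card_last4", True)]
CALLER_WITHOUT_QUESTIONS = [Claim("email_address", True),
                            Claim("billing_address", True), Claim("card_last4", True)]
OWNER = [Claim("billing_address", True), Claim("second_factor_code", True)]

if __name__ == "__main__":
    for name, req in [("as described", CALLER_AS_DESCRIBED),
                      ("no questions asked", CALLER_WITHOUT_QUESTIONS), ("owner", OWNER)]:
        print(name, decide_reset(req))
```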

Apple tech support confirmed to me twice over the weekend that
all you need to access someone's AppleID is the associated e-mail
address, a credit card number, the billing address, and the last
four digits of a credit card on file. I was very clear about this.
During my second tech support call to AppleCare, the representative
confirmed this to me. "That's really all you have to have to verify
something with us," he said.

We talked to Apple directly about its security policy, and
company spokesperson Natalie Kerris told Wired, "Apple takes
customer privacy seriously and requires multiple forms of
verification before resetting an Apple ID password. In this
particular case, the customer's data was compromised by a person
who had acquired personal information about the customer. In
addition, we found that our own internal policies were not followed
completely. We are reviewing all of our processes for resetting
account passwords to ensure our customers' data is protected."

On Monday, Wired tried to verify the hackers' access technique
by performing it on a different account. We were successful. This
means, ultimately, all you need in addition to someone's e-mail
address are those two easily acquired pieces of information: a
billing address and the last four digits of a credit card on file.
Here's the story of how the hackers got them.

Comments

Sobering story, and a huge wake-up call. As ever, the quality and security of any process or system is at its weakest when human decision-making is required. 'Ok Computer?' indeed....

In the first paragraph, I'd personally say the broadcast of racist and homophobic messages on Twitter is 'worst of all'.

George

Aug 7th 2012

In reply to George

Yes, horrifying, imagine someone doing something so heinous as hacking your Twitter account, I would just like, die with shame.

Dave

Aug 7th 2012

A fascinating and very loud wake up call to the companies behind this. It should be up to the companies not the consumer to ensure that their data is held safely. The companies have asked for this data and therefore it is their responsibility to hold it securely.

Mostly I was disgusted to read some of the comments on the Tumblr account, fanboys took a whole new meaning on there. Some really awful stuff which shows the darker side of the internet, people would never say those things in person, but behind a keyboard and a faceless screen they can say whatever they want.

Mal

Aug 7th 2012

It makes for grim reading, being a pretty simple to execute hack. However, I'm afraid I lost some sympathy at the part where the MacBook wasn't backed up regularly. I can understand the loss of baby photos being the part of this that really sucks most, so I'm slightly gobsmacked the MacBook wasn't backed up for that length of time. Even without a hack, if the drive in the MacBook had failed - poof - data gone.

Effie

Aug 7th 2012

Would this have been avoided by selling your online world to Android instead of Apple? They don't use credit card authentication... but then again, to reset password for gmail accounts you don't get telephone support who can be tackled with social engineering tricks, but there is also no telephone support to help fix it when something real bad like this happens...

Squirrel_masher

Aug 7th 2012

Great piece Mat, and written for layman and geek alike consumption. Sorry I came across it so late, I would have loved to have shared it at a Fortune 100 IT security related board meeting I was part of recently. Although a lot of companies have thrown a lot of money into hardware and software to secure their systems, beyond the basic company-wide 'security awareness' speech, policy, or packet review, there's really nothing that enforces the true need for defense against human engineering. Including the need to really re-think how the entire human equation should factor into the framework of IT security as we continue to move forward into this digital age. I hope to read more about this subject from you and WIRED soon. Also, please know you have my deepest condolences for the loss of your personal digital information.

Gina

Oct 2nd 2012

Wow, thanks to this guy I can't buy anything on iTunes because I've forgotten my security questions and you can't retrieve them.